Sunday, June 8, 2014

Beginning IPv6 - Understanding an IPv6 address

In this post we continue the Beginning IPv6 series. While the previous posts dealt with understanding the 64-bit Interface ID portion of the IP address, this post focuses on the entire 128-bit IP address. So without further ado, let's look at an IPv6 address from the perspective of RFC 4193 - Unique Local IPv6 Unicast Addresses and RFC 3513 - Internet Protocol Version 6 (IPv6) Addressing Architecture.

RFC 4193 states the following: "These addresses are called Unique Local IPv6 Unicast Addresses... They are not expected to be routable on the global Internet."

Let's break this out.

Prefix
The prefix used to identify a local IPv6 address is 7 bits long and equals FC in hex or 1111 110 in binary.

L
The L is 1 bit and, when set (1), implies that this prefix is locally assigned. This means that for a locally assigned prefix we should have 1111 1101. This is hex FD, whereas previously we used hex FC.

Global ID
The Global ID is 40 bits. It is calculated using the algorithm below and MUST NOT be assigned sequentially or with well-known numbers. There are sites that can help us generate this, which we will use later.

1) Obtain the current time of day in 64-bit NTP format [NTP].

2) Obtain an EUI-64 identifier from the system running this algorithm. If an EUI-64 does not exist, one can be created from a 48-bit MAC address as specified in [ADDARCH]. If an EUI-64 cannot be obtained or created, a suitably unique identifier, local to the node, should be used (e.g., system serial number).

3) Concatenate the time of day with the system-specific identifier in order to create a key.

4) Compute an SHA-1 digest on the key as specified in [FIPS, SHA1]; the resulting value is 160 bits.

5) Use the least significant 40 bits as the Global ID.

6) Concatenate FC00::/7, the L bit set to 1, and the 40-bit Global ID to create a Local IPv6 address prefix.

Subnet ID
This is a 16-bit value used to represent the subnet(s) used within the site(s).

Interface ID
This 64-bit value is generated based on the Modified EUI-64 format. This was explained in the previous post.

Now that we have an understanding of the format of the IPv6 address, let's put together an address using an online tool to generate a Global ID:

FD33:e581:65d4:0000:a00:27ff:fe28:17d5/48

So from the above we see we have the following:
Prefix - FD - 1111 1101
Global ID: 33:e581:65d4
Subnet ID: 0000
Interface ID: a00:27ff:fe28:17d5

Breaking it down further. Since we use /48 we now have the following:
Prefix - FD33:e581:65d4
Subnet - 0000
Interface ID: a00:27ff:fe28:17d5

Breaking it down even further. We now have the address FD33:e581:65d4::a00:27ff:fe28:17d5/48. RFC 3513 says we can use :: to drop consecutive 0s. Let's do that:
FD33:e581:65d4::a00:27ff:fe28:17d5/48

Voila!!! We did it. We should now have a better understanding of what an IPv6 address should look like and how to interpret it.
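The six Global ID steps and the field breakdown above, as an added Python example (not code from the original post or from the RFC). The MAC address 08:00:27:28:17:d5 is an assumption, recovered from the post's Interface ID by reversing Modified EUI-64, and the function names are illustrative.

```python
import hashlib
import ipaddress
import struct
import time

NTP_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def ntp_timestamp(unix_time):
    """Step 1: 64-bit NTP format (32-bit seconds, 32-bit fraction)."""
    seconds = (int(unix_time) + NTP_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time % 1) * 2**32) & 0xFFFFFFFF
    return struct.pack("!II", seconds, fraction)

def eui64_from_mac(mac):
    """Step 2: EUI-64 from a 48-bit MAC: insert FF:FE, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def ula_prefix(mac, unix_time=None):
    """Steps 3-6: SHA-1 over time||EUI-64, keep low 40 bits, prepend FD."""
    now = time.time() if unix_time is None else unix_time
    key = ntp_timestamp(now) + eui64_from_mac(mac)
    global_id = hashlib.sha1(key).digest()[-5:]  # least significant 40 bits
    prefix = b"\xfd" + global_id + bytes(10)     # FC00::/7 with L=1 is 0xFD
    return ipaddress.IPv6Network((int.from_bytes(prefix, "big"), 48))

def split_ula(address):
    """Split a unique local address into the fields described in the post."""
    packed = ipaddress.IPv6Address(address).packed
    if packed[0] >> 1 != 0b1111110:
        raise ValueError("not inside FC00::/7")
    return {
        "l_bit": packed[0] & 1,
        "global_id": packed[1:6].hex(),
        "subnet_id": packed[6:8].hex(),
        "interface_id": packed[8:].hex(),
    }

if __name__ == "__main__":
    # Constructed input: MAC recovered from the post's Interface ID.
    print(ula_prefix("08:00:27:28:17:d5"))
    print(split_ula("FD33:e581:65d4:0000:a00:27ff:fe28:17d5"))
```

Because the key includes the current time, each run yields a different /48, which is what keeps Global IDs from being sequential or well known.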
